HP 12500 Series User manual
HP 12500 Routing Switch Series
Security
Configuration Guide
Part number: 5998-2828
Software version: 12500-CMW520-R1825P01
Document version: 6W180-20130118
Legal and notice information
© Copyright 2013 Hewlett-Packard Development Company, L.P.
No part of this documentation may be reproduced or transmitted in any form or by any means without
prior written consent of Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice.
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS
MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained
herein or for incidental or consequential damages in connection with the furnishing, performance, or
use of this material.
The only warranties for HP products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or omissions contained
herein.
i
Contents
Security overview ························································································································································· 1
Network security threats···················································································································································1
Network security services·················································································································································1
Network security technologies·········································································································································1
Identity authentication ··············································································································································1
Access security··························································································································································2
Data security ·····························································································································································2
Connection control ···················································································································································3
Attack detection and protection······························································································································3
Other security technologies·····································································································································4
Configuring AAA ························································································································································· 5
FIPS compliance ································································································································································5
AAA overview ···································································································································································5
RADIUS······································································································································································6
HWTACACS ·························································································································································· 11
Domain-based user management ························································································································ 13
AAA across MPLS L3VPNs ··································································································································· 14
Protocols and standards ······································································································································· 14
RADIUS attributes ·················································································································································· 15
AAA configuration considerations and task list·········································································································· 18
Configuring AAA schemes············································································································································ 19
Configuring local users········································································································································· 19
Configuring RADIUS schemes······························································································································ 24
Configuring HWTACACS schemes····················································································································· 36
Configuring AAA methods for ISP domains················································································································ 43
Configuration prerequisites ·································································································································· 43
Creating an ISP domain ······································································································································· 43
Configuring ISP domain attributes······················································································································· 44
Configuring AAA authentication methods for an ISP domain·········································································· 45
Configuring AAA authorization methods for an ISP domain ··········································································· 47
Configuring AAA accounting methods for an ISP domain ··············································································· 48
Tearing down user connections···································································································································· 50
Displaying and maintaining AAA ································································································································ 50
AAA configuration examples········································································································································ 51
AAA for Telnet users by an HWTACACS server ······························································································· 51
AAA for Telnet users by separate servers··········································································································· 52
Authentication/authorization for SSH/Telnet users by a RADIUS server························································ 54
AAA for 802.1X users by a RADIUS server ······································································································· 57
Level switching authentication for Telnet users by an HWTACACS server····················································· 62
Troubleshooting AAA ···················································································································································· 65
Troubleshooting RADIUS······································································································································· 65
Troubleshooting HWTACACS······························································································································ 67
802.1X overview ·······················································································································································68
802.1X architecture······················································································································································· 68
Controlled/uncontrolled port and port authorization status······················································································ 68
802.1X-related protocols ·············································································································································· 69
Packet formats························································································································································ 69
EAP over RADIUS ·················································································································································· 71
ii
Initiating 802.1X authentication··································································································································· 71
802.1X client as the initiator································································································································ 71
Access device as the initiator······························································································································· 71
802.1X authentication procedures ······························································································································ 72
A comparison of EAP relay and EAP termination······························································································ 72
EAP relay································································································································································ 73
EAP termination ····················································································································································· 74
Configuring 802.1X ··················································································································································76
HP implementation of 802.1X ······································································································································ 76
Access control methods ········································································································································ 76
Using 802.1X authentication with other features ······························································································ 76
Configuration prerequisites··········································································································································· 79
802.1X configuration task list······································································································································· 79
Enabling 802.1X···························································································································································· 79
Enabling EAP relay or EAP termination ······················································································································· 80
Setting the port authorization state ······························································································································ 80
Specifying an access control method ·························································································································· 81
Setting the maximum number of concurrent 802.1X users on a port······································································· 82
Setting the maximum number of authentication request attempts ············································································· 82
Setting the 802.1X authentication timeout timers······································································································· 82
Configuring the online user handshake function ········································································································ 83
Configuration guidelines ······································································································································ 83
Configuration procedure ······································································································································ 83
Configuring the authentication trigger function ·········································································································· 84
Configuration guidelines ······································································································································ 84
Configuration procedure ······································································································································ 84
Specifying a mandatory authentication domain on a port························································································ 85
Configuring the quiet timer ··········································································································································· 85
Enabling the periodic online user re-authentication function····················································································· 86
Configuring an 802.1X guest VLAN ··························································································································· 86
Configuring an 802.1X Auth-Fail VLAN······················································································································ 87
Specifying supported domain name delimiters··········································································································· 88
Displaying and maintaining 802.1X ··························································································································· 89
802.1X configuration examples··································································································································· 89
802.1X authentication configuration example ·································································································· 89
802.1X guest VLAN and VLAN assignment configuration example······························································· 91
Configuring MAC authentication······························································································································95
Overview········································································································································································· 95
User account policies············································································································································ 95
Authentication approaches ·································································································································· 95
MAC authentication timers··································································································································· 96
Using MAC authentication with VLAN assignment ···································································································· 96
MAC authentication configuration task list ················································································································· 96
Basic configuration for MAC authentication··············································································································· 96
Configuration prerequisites ·································································································································· 96
Configuration procedure ······································································································································ 97
Specifying an authentication domain for MAC authentication users ······································································· 98
Displaying and maintaining MAC authentication ······································································································ 98
MAC authentication configuration examples·············································································································· 99
Local MAC authentication configuration example····························································································· 99
RADIUS-based MAC authentication configuration example···········································································100
Configuring portal authentication·························································································································· 103
Overview·······································································································································································103
iii
Extended portal functions ···································································································································103
Portal system components···································································································································103
Portal authentication mode·································································································································105
Portal authentication process ·····························································································································106
Portal authentication across VPNs·····················································································································108
Portal configuration task list ········································································································································108
Configuration prerequisites·········································································································································109
Specifying the portal server ········································································································································110
Enabling portal authentication····································································································································110
Configuration restrictions and guidelines ·········································································································110
Configuration procedure ····································································································································111
Controlling access of portal users ······························································································································111
Configuring a portal-free rule·····························································································································111
Configuring an authentication subnet ···············································································································112
Setting the maximum number of online portal users························································································113
Specifying an authentication domain for portal users·····················································································113
Configuring RADIUS related attributes ······················································································································114
Specifying NAS-Port-Type for an interface ·······································································································114
Specifying a source IP address for outgoing portal packets ···················································································115
Specifying an automatic redirection URL for authenticated portal users································································115
Configuring portal detection functions·······················································································································116
Configuring the portal server detection function······························································································116
Configuring portal user information synchronization······················································································117
Logging out portal users··············································································································································118
Configuring the control mode for portal user packets ·····························································································118
Enabling portal user roaming ·····································································································································119
Displaying and maintaining portal ····························································································································120
Portal configuration examples ····································································································································120
Configuring direct portal authentication···········································································································121
Configuring re-DHCP portal authentication······································································································125
Configuring cross-subnet portal authentication ································································································127
Configuring direct portal authentication with extended functions··································································129
Configuring re-DHCP portal authentication with extended functions ····························································131
Configuring cross-subnet portal authentication with extended functions·······················································133
Configuring portal server detection and portal user information synchronization·······································135
Cross-subnet portal authentication across VPNs ······························································································141
Troubleshooting portal·················································································································································143
Inconsistent keys on the access device and the portal server·········································································143
Incorrect server port number on the access device··························································································143
Configuring password control································································································································ 145
Overview·······································································································································································145
FIPS compliance ···························································································································································147
Password control configuration task list·····················································································································147
Configuring password control ····································································································································148
Enabling password control·································································································································148
Setting global password control parameters····································································································149
Setting user group password control parameters ····························································································150
Setting local user password control parameters ······························································································150
Setting super password control parameters ·····································································································151
Setting a local user password in interactive mode ··························································································151
Displaying and maintaining password control ·········································································································152
Password control configuration example ··················································································································152
iv
Managing public keys············································································································································ 155
Overview·······································································································································································155
Public key configuration task list·································································································································156
Configuring a local asymmetric key pair on the local device·················································································156
Creating a local asymmetric key pair···············································································································156
Displaying or exporting the local host public key ···························································································157
Destroying a local asymmetric key pair············································································································158
Specifying the peer public key on the local device··································································································158
Displaying and maintaining public keys ···················································································································159
Public key configuration examples·····························································································································160
Manually specifying the peer public key on the local device ········································································160
Importing a public key from a public key file···································································································162
Configuring IPsec ···················································································································································· 165
Overview·······································································································································································165
Basic concepts ·····················································································································································165
IPsec for IPv6 routing protocols··························································································································168
IPsec RRI································································································································································168
Protocols and standards ·····································································································································168
Implementing IPsec·······················································································································································168
Implementing ACL-based IPsec ···································································································································169
Configuring an ACL ············································································································································169
Configuring an IPsec proposal ··························································································································172
Configuring an IPsec policy ·······························································································································174
Applying an IPsec policy group to an interface·······························································································178
Configuring the IPsec session idle timeout········································································································178
Enabling ACL checking of de-encapsulated IPsec packets ·············································································179
Configuring the IPsec anti-replay function ········································································································179
Configuring packet information pre-extraction ································································································180
Enabling invalid SPI recovery ····························································································································180
Configuring IPsec RRI··········································································································································181
Configuring IPsec for IPv6 routing protocols·············································································································182
Displaying and maintaining IPsec ······························································································································183
IPsec configuration examples······································································································································183
Configuring a manual mode IPsec tunnel for IPv4 packets ············································································183
Configuring an IKE-based IPsec tunnel for IPv4 packets ·················································································186
Configuring IPsec for RIPng································································································································189
Configuring IPsec RRI··········································································································································192
Configuring IKE······················································································································································· 196
Overview·······································································································································································196
IKE security mechanism·······································································································································196
IKE operation ·······················································································································································196
IKE functions·························································································································································197
Relationship between IKE and IPsec··················································································································198
Protocols and standards ·····································································································································198
IKE configuration task list ············································································································································198
Configuring a name for the local security gateway·································································································199
Configuring an IKE proposal ······································································································································199
Configuring an IKE peer··············································································································································200
Setting keepalive timers···············································································································································202
Setting the NAT keepalive timer·································································································································203
Configuring a DPD detector········································································································································203
Disabling next payload field checking ······················································································································203
Displaying and maintaining IKE·································································································································204
v
IKE configuration example ··········································································································································204
Troubleshooting IKE ·····················································································································································205
Invalid user ID······················································································································································206
Proposal mismatch ··············································································································································206
Failing to establish an IPsec tunnel····················································································································206
ACL configuration error ······································································································································207
Configuring SSH ····················································································································································· 208
Overview·······································································································································································208
SSH operation ·····················································································································································208
SSH authentication ··············································································································································209
SSH support for MPLS L3VPN ····························································································································210
FIPS compliance ···························································································································································210
Configuring the device as an SSH server··················································································································210
SSH server configuration task list ······················································································································210
Generating local DSA or RSA key pairs···········································································································211
Enabling the SSH server function·······················································································································211
Enabling the SFTP server function······················································································································212
Configuring the user interfaces for SSH clients································································································212
Configuring a client's host public key···············································································································212
Configuring an SSH user····································································································································214
Setting the SSH management parameters ········································································································215
Configuring the device as an Stelnet client···············································································································216
Stelnet client configuration task list····················································································································216
Specifying a source IP address or source interface for the Stelnet client ······················································216
Enabling and disabling first-time authentication ······························································································217
Establishing a connection to an Stelnet server ·································································································217
Configuring the device as an SFTP client ··················································································································218
SFTP client configuration task list·······················································································································218
Specifying a source IP address or source interface for the SFTP client ·························································218
Establishing a connection to an SFTP server ····································································································219
Working with SFTP directories···························································································································219
Working with SFTP files······································································································································220
Displaying help information ·······························································································································221
Terminating the connection with the SFTP server ·····························································································221
Configuring the device as an SCP client ···················································································································221
SCP client configuration task list························································································································221
Transferring files with an SCP server·················································································································221
Displaying and maintaining SSH ·······························································································································222
Stelnet configuration examples···································································································································222
Password authentication enabled Stelnet server configuration example ······················································223
Publickey authentication enabled Stelnet server configuration example·······················································225
Password authentication enabled Stelnet client configuration example························································230
Publickey authentication enabled Stelnet client configuration example························································233
SFTP configuration examples ······································································································································235
Password authentication enabled SFTP server configuration example··························································235
Publickey authentication enabled SFTP client configuration example ···························································237
File transfer with password authentication ·······································································································241
Configuring blacklist··············································································································································· 243
Overview·······································································································································································243
Configuring the blacklist function·······························································································································243
Displaying and maintaining the blacklist ··················································································································244
Blacklist configuration example··································································································································244
Network requirements·········································································································································244
vi
Configuration procedure ····································································································································244
Verifying the configuration·································································································································244
Configuring TCP and ICMP attack protection······································································································· 246
Overview·······································································································································································246
Enabling the SYN Cookie feature ······························································································································246
Enabling protection against Naptha attacks·············································································································247
Disabling forwarding ICMP fragments ······················································································································248
Displaying and maintaining TCP and ICMP attack protection················································································248
Configuring IP source guard ·································································································································· 249
Overview·······································································································································································249
Static IP source guard entries·····························································································································249
Dynamic IP source guard entries ·······················································································································250
IP source guard configuration task list ·······················································································································250
Configuring the IPv4 source guard function··············································································································251
Configuring IPv4 source guard on a port·········································································································251
Configuring a static IPv4 source guard entry···································································································252
Setting the maximum number of IPv4 source guard entries············································································252
Configuring the IPv6 source guard function··············································································································253
Configuring IPv6 source guard on a port·········································································································253
Configuring a static IPv6 source guard entry···································································································254
Setting the maximum number of IPv6 source guard entries············································································255
Displaying and maintaining IP source guard············································································································255
IP source guard configuration examples ···················································································································257
Static IPv4 source guard entry configuration example····················································································257
Dynamic IPv4 source guard by DHCP snooping configuration example······················································259
Dynamic IPv4 source guard by DHCP relay configuration example·····························································260
Static IPv6 source guard entry configuration example····················································································261
Dynamic IPv6 source guard by DHCPv6 snooping configuration example ·················································262
Dynamic IPv6 source guard by ND snooping configuration example··························································263
Troubleshooting IP source guard ································································································································264
Neither static binding entries nor the dynamic binding function can be configured···································264
Configuring ARP attack protection························································································································· 265
Overview·······································································································································································265
ARP attack protection configuration task list ·············································································································265
Configuring ARP defense against IP packet attacks·································································································266
Introduction ··························································································································································266
Configuring ARP source suppression ················································································································266
Enabling ARP black hole routing ·······················································································································266
Displaying and maintaining ARP defense against IP packet attacks·····························································267
Configuring ARP packet rate limit ······························································································································267
Introduction ··························································································································································267
Configuration procedure ····································································································································267
Configuring source MAC address based ARP attack detection ·············································································267
Displaying and maintaining source MAC address based ARP attack detection··········································268
Configuring ARP packet source MAC address consistency check ·········································································269
Introduction ··························································································································································269
Configuration procedure ····································································································································269
Configuring ARP active acknowledgement ···············································································································269
Introduction ··························································································································································269
Configuration procedure ····································································································································269
Configuring authorized ARP ·······································································································································270
Introduction ··························································································································································270
Configuration procedure ····································································································································270
vii
Authorized ARP configuration example (on a DHCP server)··········································································270
Authorized ARP configuration example (on a DHCP relay agent) ································································272
Configuring ARP detection··········································································································································273
Introduction ··························································································································································273
Enabling ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1x
security entries/OUI MAC addresses ···············································································································274
Configuring ARP detection based on specified objects ··················································································275
Configuring ARP restricted forwarding ·············································································································276
Displaying and maintaining ARP detection ······································································································276
ARP detection configuration example 1············································································································276
ARP detection configuration example 2············································································································278
ARP restricted forwarding configuration example ···························································································279
Configuring ND attack defense ····························································································································· 282
Overview·······································································································································································282
Enabling source MAC consistency check for ND packets·······················································································283
Configuring the ND detection function······················································································································283
Introduction to ND detection ······························································································································283
Configuration guidelines ····································································································································284
Configuration procedure ····································································································································284
Displaying and maintaining ND detection ·······································································································284
ND detection configuration example·························································································································285
Network requirements·········································································································································285
Configuration procedure ····································································································································286
Configuring URPF···················································································································································· 288
Overview·······································································································································································288
URPF check modes ··············································································································································288
URPF link layer check··········································································································································288
How URPF works ·················································································································································288
Configuring URPF·························································································································································289
URPF configuration example·······································································································································289
Configuring PKI ······················································································································································· 291
Overview·······································································································································································291
PKI terms·······························································································································································291
PKI architecture····················································································································································292
PKI operation ·······················································································································································293
PKI applications ···················································································································································293
PKI configuration task list ············································································································································293
Configuring an entity DN············································································································································294
Configuring a PKI domain···········································································································································295
Submitting a PKI certificate request····························································································································296
Submitting a certificate request in auto mode··································································································297
Submitting a certificate request in manual mode·····························································································297
Retrieving a certificate manually ································································································································298
Configuration guidelines ····································································································································298
Configuration procedure ····································································································································298
Configuring PKI certificate verification ······················································································································299
Configuring PKI certificate verification with CRL checking ·············································································299
Configuring PKI certificate verification without CRL checking ········································································300
Destroying a local RSA or ECDSA key pair··············································································································300
Deleting a certificate····················································································································································300
Configuring an access control policy ························································································································301
Displaying and maintaining PKI ·································································································································301
PKI configuration examples·········································································································································302
viii
Certificate request from an RSA Keon CA server ····························································································302
Certificate request from a Windows 2003 CA server ····················································································305
Certificate attribute access control policy configuration ·················································································308
Troubleshooting PKI ·····················································································································································309
Failed to retrieve a CA certificate······················································································································309
Failed to request a local certificate ···················································································································310
Failed to retrieve CRLs ········································································································································310
Configuring SSL······················································································································································· 312
Overview·······································································································································································312
SSL security mechanism ······································································································································312
SSL protocol stack ···············································································································································313
SSL configuration task list············································································································································313
Configuring an SSL server policy ·······························································································································313
SSL server policy configuration example···················································································································315
Configuring an SSL client policy ································································································································316
Displaying and maintaining SSL·································································································································317
Troubleshooting SSL·····················································································································································318
SSL handshake failure·········································································································································318
Configuring FIPS······················································································································································ 319
Overview·······································································································································································319
FIPS self-tests ·································································································································································319
Power-up self-test ·················································································································································319
Conditional self-tests············································································································································319
Triggered self-test·················································································································································319
Configuring FIPS···························································································································································320
Enabling FIPS mode ············································································································································320
Triggering a self-test ············································································································································320
Displaying and maintaining FIPS ·······························································································································321
FIPS configuration example·········································································································································321
Support and other resources ·································································································································· 323
Contacting HP ······························································································································································323
Subscription service ············································································································································323
Related information······················································································································································323
Documents····························································································································································323
Websites·······························································································································································323
Conventions ··································································································································································324
Index ········································································································································································ 326
1
Security overview
Many events happened on a network may bring threats to the network resource security, such as data
confidentiality, data integrity, and data availability. Network security services provide solutions to
remove or reduce the network security threats.
Network security threats
•Information disclosure—Information is leaked to an unauthorized person or entity.
•Damaging data integrity—Data integrity is damaged by unauthorized changing or destroying.
•Denial of service—Make information or other network resources unavailable to their intended
users.
•Unauthorized usage—Resources are used by unauthorized persons or in unauthorized ways.
Network security services
One security service is implemented by one or more network security technologies. One technology can
implement multiple services. A safe network needs the following services:
•Identity authentication—Identifies users and determines if a user is valid. Typical ways include
Authentication, Authorization, and Accounting (AAA)-based, user names plus passwords, and PKI
digital certificate mechanism.
•Access security—Controls behaviors that a user accesses network resource based on the result of
identity authentication, and prevents untrusted usage and access from performing privileged
actions. Major access security protocols include 802.1X, MAC authentication and portal
authentication, working together with AAA to implement user identity authentication.
•Data security—Encrypts and decrypts data during data transferring and storing. Typical encryption
mechanisms include symmetric encryption and asymmetric encryption, and their common
applications are IP security (IPsec), Secure Sockets Layer (SSL) and Secure Shell (SSH). IPsec secures
IP communications. SSL and SSH protects data transfer based on TCP.
•Attack detection and protection—Determines if traffic flows or received packets are attack packets
according to the packet contents and behaviors and, if detecting an attack, take measures to deal
with the attack for data link layer, network layer and application layer, including TCP and ICMP
attack protection, ARP attack prevention and IP Source Guard.
Network security technologies
Identity authentication
AAA
AAA provides a uniform framework for implementing network access management. It provides the
following security functions:
•Authentication—Identifies network users and determines whether the user is valid.
2
•Authorization—Grants user rights and controls user access to resources and services. For example,
a user who has successfully logged in to the device can be granted read and print permissions to
the files on the device.
•Accounting—Records all network service usage information, including service type, start time, and
traffic. The accounting function provides information required for charging, and allows for network
security surveillance.
AAA can be implemented through multiple protocols, such as RADIUS and HWTACACS, of which
RADIUS is most often used.
PKI
Public Key Infrastructure (PKI) uses a general security infrastructure to provide information security through
public key technologies. PKI employs the digital certificate mechanism to manage the public keys. The
digital certificate mechanism binds public keys to their owners, helping distribute public keys in large
networks securely. With digital certificates, the PKI system provides network communication, e-commerce
and e-Government with security services.
HP's PKI system provides digital certificate management for IPsec and SSL.
Access security
802.1X
802.1X is a port-based network access control protocol for securing wireless LANs (WLANs), and it has
also been widely used on Ethernet networks for access control. 802.1X controls network access by
authenticating the devices connected to 802.1X-enabled LAN ports.
MAC authentication
MAC authentication controls network access by authenticating source MAC addresses on a port. It does
not require client software and users do not need to enter a username and password for network access.
The device initiates a MAC authentication process when it detects an unknown source MAC address on
a MAC authentication enabled port. If the MAC address passes authentication, the user can access
authorized network resources.
Portal authentication
Portal authentication, also called "web authentication", helps control access to the Internet. You can input
a user name and password at the website for authentication. It does not require client software for access
control at the access layer and other data entrance that needs protection.
With portal authentication, an access device redirects all users to the portal authentication page. All
users can access the free services provided on the portal website. However, to access the Internet, a user
must pass portal authentication.
Data security
Managing public keys
Public key configuration enables you to manage the local asymmetric key pairs (such as creating and
destroying a local asymmetric key pair, displaying or exporting the local host public key), and configure
the peer host public keys on the local device.
3
IPsec
IPsec is a security framework for securing IP communications. It is a Layer 3 VPN technology mainly for
data encryption and data origin authentication.
SSL
SSL is a security protocol that provides secure connection services for TCP-based application layer
protocols such as HTTPS by using the public key mechanism and digital certificates. SSL is independent
of the application layer, so the connection at the application layer is safe, and unknown to SSL.
SSH
SSH is a network security protocol implementing remote login and file transfer securely over an insecure
network. Using encryption and authentication, SSH protects devices against attacks such as IP spoofing
and plaintext password interception.
Connection control
You can configure connection limit policies to collect statistics and limit the number of connections,
connection establishment rate, and connection bandwidth for protecting internal network resources
(hosts or servers) and properly allocating system resources on the device.
Attack detection and protection
ARP attack protection
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network
attacks. An attacker can exploit ARP vulnerabilities to attack network devices, such as faking a trusted
user or gateway and ARP flooding attacks. HP has provided a comprehensive and effective solution
against those attacks.
ND attack defense
The IPv6 Neighbor Discovery (ND) protocol provides rich functions, but does not provide any security
mechanisms. Attackers can easily exploit the ND protocol to attack hosts and gateways by sending
forged packets. The device implements multiple ND attack detection technologies for defending against
these attacks, such as source MAC consistency check for ND packets and ND Detection.
IP Source Guard
IP Source Guard uses a binding entry to improve port security by blocking illegal packets. For example,
it can prevent invalid hosts from using a valid IP address to access the network. It is applied on an
interface connecting to the user side.
IP Source Guard can filter packets according to the packet source IP address, source MAC address, and
VLAN ID. A binding entry can be statically configured or dynamically added through DHCP or ND.
URPF
Unicast Reverse Path Forwarding (URPF) protects a network against source address spoofing attacks,
such as denial of service (DoS) and distributed denial of service (DDoS) attacks.
TCP and ICMP attack protection
Attackers can attack the device during the process of TCP connection establishment or by sending a large
number of ICMP fragments. To prevent such attacks, the device provides the following features:
•SYN Cookie
4
•Protection against Naptha attacks
•Disabling ICMP fragment forwarding
Other security technologies
The device also provides other network security technologies to implement a multifunctional and full
range of security protection for users. For example, password control is a set of functions for enhancing
the local password security, which controls user login passwords, super passwords, and user login status
based on predefined policies. Those policies include minimum password length, minimum password
update interval, password aging, and early notice on pending password expiration.
5
Configuring AAA
FIPS compliance
The switch supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.
AAA overview
Authentication, Authorization, and Accounting (AAA) provides a uniform framework for implementing
network access management. It can provide the following security functions:
•Authentication—Identifies users and determines whether a user is valid.
•Authorization—Grants different users different rights and controls their access to resources and
services. For example, a user who has successfully logged in to the switch can be granted read and
print permissions to the files on the switch.
•Accounting—Records all network service usage information of users, including the service type,
start time, and traffic. The accounting function not only provides the information required for
charging, but also allows for network security surveillance.
AAA usually uses a client/server model. The client runs on the network access server (NAS) and the
server maintains user information centrally. In an AAA network, a NAS is a server for users but a client
for the AAA servers. See Figure 1.
Figure 1 Network diagram for AAA
When a user tries to log in to the NAS, use network resources, or access other networks, the NAS
authenticates the user. The NAS can transparently pass the user’s authentication, authorization, and
accounting information to the servers. The RADIUS and HWTACACS protocols define how a NAS and
a remote server exchange user information between them.
In the network shown in Figure 1, there is a RADIUS server and an HWTACACS server. You can choose
different servers for different security functions. For example, you can use the HWTACACS server for
authentication and authorization, and the RADIUS server for accounting.
6
You can choose the three security functions provided by AAA as needed. For example, if your company
only wants employees to be authenticated before they access specific resources, you only need to
configure an authentication server. If network usage information is needed, you must also configure an
accounting server.
AAA can be implemented through multiple protocols. The switch supports using RADIUS and
HWTACACS. RADIUS is often used in practice.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol that
uses a client/server model. It can protect networks against unauthorized access and is often used in
network environments where both high security and remote user access are required.
RADIUS uses UDP as the transport protocol. It uses UDP port 1812 for authentication and UDP port 1813
for accounting.
RADIUS was originally designed for dial-in user access. With the addition of new access methods,
RADIUS has been extended to support additional access methods, such as Ethernet and ADSL. RADIUS
provides access authentication and authorization services, and its accounting function collects and
records network resource usage information.
Client/server model
The RADIUS client runs on the NASs located throughout the network. It passes user information to
designated RADIUS servers and acts on the responses (for example, rejects or accepts user access
requests).
The RADIUS server runs on the computer or workstation at the network center and maintains information
related to user authentication and network service access. It listens to connection requests, authenticates
users, and returns user access control information (for example, rejecting or accepting the user access
request) to the clients.
In general, the RADIUS server maintains the following databases: Users, Clients, and Dictionary.
Figure 2 RADIUS server components
•Users—Stores user information, such as the usernames, passwords, applied protocols, and IP
addresses.
•Clients—Stores information about RADIUS clients, such as shared keys and IP addresses.
•Dictionary—Stores RADIUS protocol attributes and their values.
Security and authentication mechanisms
RADIUS uses a shared key that is never transmitted over the network to authenticate Information
exchanged between a RADIUS client and the RADIUS server, enhancing the information exchange
security. In addition, to prevent user passwords from being intercepted on insecure networks, RADIUS
encrypts passwords before transmitting them.
7
A RADIUS server supports multiple user authentication methods, such as the Password Authentication
Protocol (PAP) and the Challenge Handshake Authentication Protocol (CHAP). Moreover, a RADIUS
server can act as the client of another AAA server to provide authentication proxy services.
Basic message exchange process
Figure 3 illustrates the interactions between the host, the RADIUS client, and the RADIUS server.
Figure 3 Basic message exchange process
RADIUS operates in the following manner:
1. The host initiates a connection request that carries the user’s username and password to the
RADIUS client.
2. Having received the username and password, the RADIUS client sends an authentication request
(Access-Request) to the RADIUS server, with the user password encrypted by using the
Message-Digest 5 (MD5) algorithm and the shared key.
3. The RADIUS server authenticates the username and password. If the authentication succeeds, the
server sends back an Access-Accept message containing the user’s authorization information. If
the authentication fails, the server returns an Access-Reject message.
4. The RADIUS client permits or denies the user according to the returned authentication result. If it
permits the user, it sends a start-accounting request (Accounting-Request) to the RADIUS server.
5. The RADIUS server returns a start-accounting response (Accounting-Response) and starts
accounting.
6. The user accesses the network resources.
7. The host requests the RADIUS client to tear down the connection and the RADIUS client sends a
stop-accounting request (Accounting-Request) to the RADIUS server.
8. The RADIUS server returns a stop-accounting response (Accounting-Response) and stops
accounting for the user.
8
RADIUS packet format
RADIUS uses UDP to transmit messages. To ensure smooth message exchange between the RADIUS
server and the client, RADIUS uses a series of mechanisms, including the timer management mechanism,
the retransmission mechanism, and the backup server mechanism. Figure 4 shows the RADIUS packet
format.
Figure 4 RADIUS packet format
The Code field (1 byte long) indicates the type of the RADIUS packet.
Table 1 Main values of the Code field
Code Packet type Description
1 Access-Request
From the client to the server. A packet of this type carries user
information for the server to authenticate the user. It must contain
the User-Name attribute and can optionally contain the attributes
of NAS-IP-Address, User-Password, and NAS-Port.
2 Access-Accept
From the server to the client. If all the attribute values carried in
the Access-Request are acceptable, the authentication succeeds,
and the server sends an Access-Accept response.
3 Access-Reject
From the server to the client. If any attribute value carried in the
Access-Request is unacceptable, the authentication fails and the
server sends an Access-Reject response.
4 Accounting-Request
From the client to the server. A packet of this type carries user
information for the server to start or stop accounting for the user.
The Acct-Status-Type attribute in the packet indicates whether to
start or stop accounting.
5 Accounting-Response
From the server to the client. The server sends a packet of this
type to notify the client that it has received the
Accounting-Request and has successfully recorded the
accounting information.
The Identifier field (1 byte long) is used to match request packets and response packets and to detect
duplicate request packets. Request and response packets of the same type have the same identifier.
The Length field (2 bytes long) indicates the length of the entire packet, including the Code, Identifier,
Length, Authenticator, and Attribute fields. Bytes beyond this length are considered padding and are
ignored at the receiver. If the length of a received packet is less than this length, the packet is dropped.
The value of this field is in the range of 20 to 4096.
9
The Authenticator field (16 bytes long) is used to authenticate replies from the RADIUS server and to
encrypt user passwords. There are two types of authenticators: request authenticator and response
authenticator.
The Attributes field (variable in length) carries the specific authentication, authorization, and accounting
information that defines the configuration details of the request or response. This field may contain
multiple attributes, each with three sub-fields:
•The Type filed (1 byte long) indicates the type of the attribute. It is in the range of 1 to 255. Table
2 lists the commonly used attributes for RADIUS authentication, authorization and accounting,
which are defined in RFC 2865, RFC 2866, RFC 2867, and RFC 2868. For more information about
these attributes, see "Commonly used standard RADIUS attributes."
•The Length field (1 byte long) indicates the length of the attribute in bytes, including the Type, Length,
and Value fields.
•The Value field (up to 253 bytes) indicates the value of the attribute. Its format and content depend
on the Type and Length fields.
Table 2 RADIUS attributes
No. Attribute No. Attribute
1 User-Name 45 Acct-Authentic
2 User-Password 46 Acct-Session-Time
3 CHAP-Password 47 Acct-Input-Packets
4 NAS-IP-Address 48 Acct-Output-Packets
5 NAS-Port 49 Acct-Terminate-Cause
6 Service-Type 50 Acct-Multi-Session-Id
7 Framed-Protocol 51 Acct-Link-Count
8 Framed-IP-Address 52 Acct-Input-Gigawords
9 Framed-IP-Netmask 53 Acct-Output-Gigawords
10 Framed-Routing 54 (unassigned)
11 Filter-ID 55 Event-Timestamp
12 Framed-MTU 56-59 (unassigned)
13 Framed-Compression 60 CHAP-Challenge
14 Login-IP-Host 61 NAS-Port-Type
15 Login-Service 62 Port-Limit
16 Login-TCP-Port 63 Login-LAT-Port
17 (unassigned) 64 Tunnel-Type
18 Reply-Message 65 Tunnel-Medium-Type
19 Callback-Number 66 Tunnel-Client-Endpoint
20 Callback-ID 67 Tunnel-Server-Endpoint
21 (unassigned) 68 Acct-Tunnel-Connection
22 Framed-Route 69 Tunnel-Password
23 Framed-IPX-Network 70 ARAP-Password
10
No. Attribute No. Attribute
24 State 71 ARAP-Features
25 Class 72 ARAP-Zone-Access
26 Vendor-Specific 73 ARAP-Security
27 Session-Timeout 74 ARAP-Security-Data
28 Idle-Timeout 75 Password-Retry
29 Termination-Action 76 Prompt
30 Called-Station-Id 77 Connect-Info
31 Calling-Station-Id 78 Configuration-Token
32 NAS-Identifier 79 EAP-Message
33 Proxy-State 80 Message-Authenticator
34 Login-LAT-Service 81 Tunnel-Private-Group-id
35 Login-LAT-Node 82 Tunnel-Assignment-id
36 Login-LAT-Group 83 Tunnel-Preference
37 Framed-AppleTalk-Link 84 ARAP-Challenge-Response
38 Framed-AppleTalk-Network 85 Acct-Interim-Interval
39 Framed-AppleTalk-Zone 86 Acct-Tunnel-Packets-Lost
40 Acct-Status-Type 87 NAS-Port-Id
41 Acct-Delay-Time 88 Framed-Pool
42 Acct-Input-Octets 89 (unassigned)
43 Acct-Output-Octets 90 Tunnel-Client-Auth-id
44 Acct-Session-Id 91 Tunnel-Server-Auth-id
Extended RADIUS attributes
The RADIUS protocol features excellent extensibility. Attribute 26 (Vendor-Specific), an attribute defined
by RFC 2865, allows a vendor to define extended attributes to implement functions that the standard
RADIUS protocol does not provide.
A vendor can encapsulate multiple sub-attributes in the type-length-value (TLV) format in RADIUS packets
for extension of applications. As shown in Figure 5, a sub-attribute encapsulated in Attribute 26 consists
of the following parts:
•Vendor-ID—ID of the vendor. Its most significant byte is 0; the other three bytes contains a code that
is compliant to RFC 1700. The vendor ID of HP is 25506. For more information about the
proprietary RADIUS sub-attributes of HP, see "HP proprietary RADIUS sub-attributes."
•Vendor-Type—Type of the sub-attribute.
•Vendor-Length—Length of the sub-attribute.
•Vendor-Data—Contents of the sub-attribute.
Other manuals for 12500 Series
12
Table of contents
Other HP Switch manuals
HP
HP 316095-B21 - StorageWorks Edge Switch 2/24 User manual
HP
HP StorageWorks MSA 2/8 - SAN Switch User manual
HP
HP FlexFabric 12900 series Installation manual
HP
HP J4111A Quick start guide
HP
HP 316095-B21 - StorageWorks Edge Switch 2/24 User manual
HP
HP v1810g User manual
HP
HP Aruba 8325 Series User manual
HP
HP ProCurve 3500yl-48G-PWR User manual
HP
HP NJ2000 User manual
HP
HP 3600 v2 Series Installation manual
Popular Switch manuals by other brands
Moeller
Moeller +ATEX-I1 installation instructions
Mine Site Technologies
Mine Site Technologies NS40 I.S. user manual
ADTRAN
ADTRAN NetVanta 1524ST Specification sheet
GarrettCom
GarrettCom Ethernet Networks and Web Management brochure
Comnet
Comnet CNFE4SMSPOE Installation and operation manual
RDL
RDL RACK-UP Series quick start guide
